Internal threats cause losses in the millions, requiring new models of surveillance, security culture, and risk management in organizations.

*By Luiz F. Freitas-Gutierres*

An insider threat originates from current or former employees who, because they hold privileged access, can interact directly with an organization's assets, networks, and data. Malicious insider acts generally involve motivations associated with espionage, misappropriation or exfiltration of intellectual property, unauthorized disclosure of sensitive information, sabotage of processes or assets, fraud, and acts of violence or intimidation in the workplace, all of which have the potential to compromise the organization's cybersecurity. Consultants, partners, and third-party service providers can also be vectors of insider threats. These threats can be intentional or unintentional, and not all such activity is malicious. In some cases, incidents result from untrained personnel or unintentional errors that compromise the confidentiality, integrity, or availability (CIA) of information technology (IT) and/or operational technology (OT) systems.

Recent studies reveal that most organizations faced at least one insider threat during 2024, and that for most of them the average remediation cost after an insider attack ranged from US$100,000 to US$499,000. In some instances, however, the average cost exceeded US$1 million, and some institutions suffered more than six insider attacks in 2024. The financial impact can therefore be severe and, unfortunately, reflects a trend.

Internationally, CrowdStrike announced in November of this year that it had identified an insider who shared screenshots of their computer externally. At the same time, screenshots of CrowdStrike systems were posted on Telegram by alleged members of cybercrime groups such as Scattered Spider and LAPSUS$.

In the Brazilian context, two of the known cases during 2025 were incidents against the financial sector involving insiders. The first, in June 2025, was the C&M Software case, which resulted in unauthorized access to reserve accounts belonging to at least six financial institutions and culminated in the misappropriation of more than R$ 800 million. The breach was facilitated by an insider, an employee who sold his access credentials and was subsequently bribed to execute malicious code on the organization's systems in exchange for R$ 15,000.

The second incident involved the seizure of a cell phone and a laptop belonging to an employee of Banco do Brasil, who allegedly demanded R$ 1 million to facilitate a cyber intrusion into banking systems by selling his access credentials to malicious actors. According to the information released, Banco do Brasil detected and stopped the attempt through internal monitoring mechanisms and immediately notified the relevant authorities.

In the field of OT networks and industrial control systems (ICS), the Maroochy incident is widely known within the industrial cybersecurity community. It occurred in what was then Maroochy Shire, Australia, between February and April 2000, and involved a malicious insider. The individual sabotaged the operation of the community's sewage control systems, resulting in the release of over 800,000 liters of untreated sewage into parks, rivers, and residential areas. Reports indicated significant environmental consequences, particularly for the region's marine life. Witnesses reported darkened streams and an intense odor that nearby residents considered unbearable.

Whether in a bank's corporate network or a steel mill's industrial network, it should not be assumed that employees are so loyal that they can never be influenced by ideologies, shifts in allegiance, or personal incentives that would turn them into internal threats. Likewise, no employee behavior monitoring program is fully capable of preventing the actions of an insider acting under duress or coercion. Managers and security teams should not assume that established rules and procedures are being strictly followed. In certain circumstances, competing priorities may lead supervisors to instruct their teams to relax security policies in order to meet goals. Similarly, employees may fail to fully comply with security guidelines for various reasons, including the perception that such flexibility increases productivity or reduces inconveniences in the performance of their duties.

The main security measures against insider threats include adopting security awareness programs aimed at the continuous training of employees and, in a more structured way, implementing an insider risk management program. Such a program should cover the tracking, monitoring, and recording of user interactions with the organization's assets, as well as the implementation of access controls appropriate to the criticality level of IT and OT systems.

For additional information on insider threats and strategies for mitigating these risks, it is recommended to consult the third publication of the 2025 volume of Ind.Cyber.Sec Letters, entitled Understanding Insider Threats.

Luiz F. Freitas-Gutierres is a researcher at the ABES Think Tank and an Adjunct Professor in the Department of Electromechanics and Power Systems (DESP) at the Federal University of Santa Maria (UFSM).

Notice: The opinion presented in this article is the responsibility of its author and not of ABES (Brazilian Association of Software Companies).

Article originally published on the IT Forum website: https://itforum.com.br/colunas/ameacas-internas-risco-crescente
